San Diego, CA - "Phishing" emails are sent by scam artists and are disguised to look like they come for a legitimate financial institution or other online vendor such as eBay or PayPal. They are sent to unsuspecting consumers to dupe them into providing personal information such as name, adddress, phone number, credit card number and expiration date and Social Security number (SSN). Often, they couch their request by saying your account will be suspended or canceled if you do not respond within a certain time frame. The information provided can be used to place fraudulent charges on the credit or debit account numbers provided orto misuse a person's SSN to perpetrate identity theft. For more about phishing emails, see the PRC's alert at www.privacyrights.org/ar/phishing.htm.
The Privacy Rights Clearinghouse (PRC) is warning consumers about another form of fraud that can happen when online users reply to phishing emails. The personal information they provide might be used to register web site domains that bilk unwitting online users out of funds they believe are being used for legitimate transactions.
The PRC has received reports from those who have replied to phishing emails with their name, address and phone number who later learned that their personal information was used by the phisher to register web site domains. At times, if they also provided a legitimate credit card number, it may be used to pay for the web site registration, too.
The sites that are being registered using victims' information include bogus online escrow sites or web sites set up to look like legitimate banks. Such sites are intended to defraud consumers and those who have had their money taken, may contact the phishing victims to whom the site is registered or may get law enforcement involved. Most of the bogus web sites that have been set up are done so from other countries.
Unfortunately, companies that register domains do not necessarily verify information about the registrant before allowing the site to be established. Often, the unsuspecting phishing victim will not find out a site has been registered using their information until it's too late. Unfortunately, there is no way to verify if a web site has been registered using your personal information.
TIPS FOR CONSUMERS
Tell tale signs that you might be a victim of this scam:
- You replied to a phishing email.
- You receive a web site domain registration packet in the mail.
- You are contacted by a person who claims your site stole their money.
- You are contacted by law enforcement as part of an investigation into online fraud.
- You are contacted by individuals who track bogus web site registrations.
- You see charges on your credit or debit card statement for registering a domain that you do not recognize.
Your first step should be to find out the web site address that's registered to you. Once you know the web site, go to the site and print out the pages it contains.
Then, find the contact information for the company who registered the site in the domain registration records maintained by Who Is listings such as:
- Verisign's Who Is at http://registrar.verisign-grs.com/cgi-bin/whois?whois_nic=prbar.com&type=domain
The Internet Corporation for Assigned Names and Numbers (ICANN) orchestrates Internet Protocol (IP) address space allocation, the Domain Name System (DNS) which establishes domain names, and delegation of top-level domain names (such as .com, .info, etc.).
To submit a complaint to ICANN about a bogus web site registered to your name, go to:
The Federal Trade Commission (FTC) should also be notified if a web site is registered using your personal information. To file a complaint with the FTC, go to their home page at www.ftc.gov and click the link in the upper navigation bar for File a Complaint.
You can also contact the web site hosting company noted in the Who Is registry to have the site removed from the Internet. Unfortunately, some companies that register web site domains or host the web site are reluctant to assist those who ask for an investigation. For instance, registrars may ask for the credit card number that was used to register the site, to which the victim may not have access. Also, some registrars may not tell victims if there is more than one site that has been registered using their information. If you have difficulty in getting a domain registrar or web host to assist you with an investigation, contact the PRC by using our online inquiry form at www.privacyrights.org/inquiryform.htm for assistance.
The California Department of Corporations also provides additional tips for consumers to avoid bogus online escrow sites at www.corp.ca.gov/ole/ole.htm.
If you're looking for a reputable web site to conduct an online escrow transaction, check the web site carefully. A reputable web site will:
- Provide contact information such as a physical address and phone number, not just an email address, to contact them.
- Have contact information noted that corresponds with the Who Is registration information for the site. Exercise caution when using sites that note a location outside the U.S. especially if it does not correspond with its Who Is registration.
- Have encrypted web pages when you are asked to submit personal information (check for the https:// at the start of the web page address).
- For additional tips about online shopping and ensuring that a web site is legitimate, see the tips outlined in our Fact Sheet 23: E-Commerce and You: Online Shopping Tips at www.privacyrights.org/fs/fs23-shopping.htm.